Second, and possibly more importantly, WaPo reported that there has been an uptick in consumer complaints relating to companies charging hidden covid fees to cover the costs of personal protective equipment, enhanced cleaning, etc. The article states as follows:

“According to a survey by The Washington Post of attorney general offices and financial departments in 52 states and territories, U.S. consumers in 29 states have filed 510 complaints of coronavirus-related surcharges at dentist offices, senior living facilities, hair salons and restaurants.”

The article includes discussion of several facilities of the types listed above and fee-related complaints and conundrums.

As the readers of this blog know, customer complaints can contribute to regulatory scrutiny of individual businesses or business practices. Fees relating to safety equipment and cleaning may be allowed in many contexts, but they must be disclosed. Failure to disclose may run afoul of federal and state consumer protection laws. Put another way, there’s no shame in hiding your covid brows, but don’t try to hide covid fees.

________________________

For additional information on COVID-19 issues, visit our COVID-19 Response Resource Center. For advertising, privacy, and consumer protection issues, visit the Advertising and Privacy Law Resource Center and subscribe to the Ad Law Access podcast and blog.

Security and Confidentiality

Once the business selects a platform, it should issue company-provided videoconferencing accounts and implement a policy designating the approved platform as the sole authorized service. The business should also familiarize itself with and implement certain settings in that platform to improve the business’s security posture. For example, in Zoom, certain settings you should consider implementing include:

• Requiring participants to enter meeting passwords;
• Prohibiting participants from joining meetings until the host joins the meeting;
• Disabling the screen sharing option by participants other than the host;
• Disabling recording option by participants other than the host;
• Disabling the chat feature altogether, or if chat is enabled, it should be configured so that only messaging among the host and all participants (versus private messaging between participants) is permitted;
• Enabling a waiting room, which allows the host to decide who is allowed into the conference; and/or
• Enabling the use of automatically generated meeting IDs in lieu of personal meeting IDs.

If you are the host and you do opt to record a videoconference, you also need to consider where you want to save and store such recordings and the ramifications thereof. For example, Zoom provides users with the option of saving recordings on the Zoom cloud or to your desktop/server. If a user saves a recording of a videoconference to the Zoom cloud, that recording is in Zoom’s possession and is subject to Zoom’s retention policies and security procedures, remains outside your direct control, and is vulnerable to a potential data breach. Therefore, for security purposes, it may be prudent to save your confidential and sensitive recordings within your system or with your trusted vendor. Regardless of where you store such recordings, it is very important to save them in a central location so as to be able to locate them quickly and efficiently should the need arise. The expense of storing large video/audio recording files should also be taken into account.

Finally, businesses can further mitigate security and legal risks by providing training to their employees on the approved platform, the settings thereof, and the proper business use and etiquette of videoconferencing and issues associated with it. For example, employees should be reminded that videoconferences are a business tool, and the good business judgment and professionalism that is expected in the office is also expected and should be practiced during videoconferences. Moreover, it is important for employees to understand that they need to take precautions to maximize security and privacy when working remotely, including not holding videoconferences in a public place.

To Record Or Not To Record

Discovery implications of recording videoconferences

In making a decision as to whether or not to record some or all videoconferences, it is important to note that absent a legal obligation to record a conversation (for example financial services where one may be required to record a client’s permission for a transaction), there is likely no general duty to record your videoconferences. A videoconference is parallel to a face-to-face meeting that in the pre-COVID-19 world would have been memorialized by meeting notes or related correspondence, if at all. To think of it another way, when is the last time you set up a camera and pressed record before a meeting with a colleague in the office? Despite having the ability to do so using a widely available technology like your iPhone, the likely answer is never. And the fact you can record the same meeting today that is being held remotely because of COVID-19 with a touch of a button should not change your business practice.

As for recordings of videoconferences that already exist, there is likely no obligation to retain and preserve such data for any particular period of time absent a specific regulatory and/or legal requirement. However, please remember that legal obligations to retain data are based on the data’s content and not its format. In that regard, recordings of videoconferences are no different than an e-mail or any other record that may contain data that may be required to be retained for specific periods of time.

Absent any such requirement, to the extent you choose to record, recordings should only be retained while that information has value to the business. A business should update or implement a retention policy specifically addressing how and when such recordings will be maintained, preserved and destroyed. Indeed, as the Supreme Court of the United States has observed, regular disposition of data and information that is not required to be retained is a best information management practice. See Arthur Andersen LLP v. United States, 544 U.S. 696, 704 (2005) (“Document retention policies which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.”) (internal citations and quotations omitted). Failure to implement specific and strict policies governing videoconference recordings and their retention and deletion will likely result in the proliferation of discoverable data and expenses associated with the preservation, collection and review of such data once a duty to preserve does arise.

Once litigation or an investigation is reasonably anticipated and the duty to preserve is triggered, all bets are off. Under common law and as expressly referenced in Federal Rule of Civil Procedure (“FRCP”) 37(e), a party must preserve documents and electronically stored information (“ESI”) when it reasonably anticipates litigation. There is no bright line rule when the duty to preserve arises and the threshold varies by jurisdiction but suffice it to say, it arises as soon as a business anticipates litigation or regulatory investigation. See e.g., Zubulake v. UBS Warburg, 220 F.R.D. 212 (S.D.N.Y. 2003) (“Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a ‘litigation hold.’”). Once the duty to preserve is triggered, you are obligated to preserve documents and ESI in all forms if it is potentially relevant to the anticipated litigation or investigation and must suspend your routine document and ESI retention/destruction policy. To the extent any existing recordings of videoconferences are potentially relevant to the anticipated litigation or investigation, they would fall within the scope of the preservation obligation. Indeed, the business may be subject to severe spoliation sanctions under FRCP 37(e) if potentially relevant documents and ESI are subsequently deleted or lost, such as a monetary penalty, an adverse inference instruction to a jury or even striking of the party’s pleadings.

To the extent you have any doubt, a relevant and non-privileged recording of a videoconference is discoverable ESI. Under FRCP 34(A)(1)(a) and its state-law analogs, a party must produce in response to a proper request “[a]ny designated documents or electronically stored information —including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form . . . .” (Emphasis added). The 2006 Advisory Committee notes on FRCP 34 further explained the broad and expansive scope of what is covered by this language:

Discoverable information often exists in both paper and electronic form, and the same or similar information might exist in both. The items listed in Rule 34(a) show different ways in which information may be recorded or stored. Images, for example, might be hard-copy documents or electronically stored information. The wide variety of computer systems currently in use, and the rapidity of technological change, counsel against a limiting or precise definition of electronically stored information. Rule 34(a)(1) is expansive and includes any type of information that is stored electronically. A common example often sought in discovery is electronic communications, such as e-mail. The rule covers—either as documents or as electronically stored information—information “stored in any medium,” to encompass future developments in computer technology. Rule 34(a)(1) is intended to be broad enough to cover all current types of computer-based information, and flexible enough to encompass future changes and developments.

Finally, it is important to note that even unrecorded videoconferences generate data that may be subject to preservation obligations and discovery. For example, Zoom collects the IP address, operating system, and device details for all videoconference participants even if the video of the meeting itself is not recorded. Therefore, it is important to have a full understanding of what and how such additional data is generated and where and for how long is it stored when approving a videoconferencing platform for your business.

Do I need to or can I change what I do after a preservation obligation arises

The answer is not as clear, however, if a party changes its practice and stops recording videoconferences that it previously recorded after a duty to preserve has arisen. Although spoliation sanctions generally do not apply when a party has failed to create evidence, some courts have treated changes in business practice as suspect. See e.g., Braun v. Wal-Mart, Inc., 2008 Minn. Dist. LEXIS 109, *34 (Minn. Dist. Ct. Dakota Cty. June 30, 2008) (finding that changes in employment related record practice could have been due to both legitimate business reasons and reasons related to ongoing litigation). Accordingly, if a business makes the decision to record some or all of its videoconferences, it may be exposed to spoliation sanctions if it changes its business practice of recording after a preservation obligation has arisen. Of course, even if no sanctions are imposed, an adversary may use the optics of such a change in business practice against you.

Before recording consider consent and privacy laws of relevant jurisdictions

When videoconferencing with individuals in different states—or even different countries—it may be difficult to determine which laws apply. Thus, it is always best to obtain the consent of all participants before recording a videoconference. It is advisable to use a disclaimer in the meeting invitation that discloses that the videoconference will be recorded and to have the host of the videoconference remind the participants of that fact at the start as well. If you believe that it is important to record a videoconference and are unable to obtain the consent of one or more of the participants, make sure you understand the applicable laws of all jurisdictions in which the participants are located.

Key Takeaways and Best Practices

1. Select and approve a videoconferencing platform to be used by your business.
2. Implement specific default settings on the approved videoconference platform to improve security.
3. Implement employee training on the approved platform and proper business use of videoconferencing.
4. Unless there is a specific obligation or business purpose, implement a policy prohibiting or strictly limiting the recording of videoconferences.
5. To the extent recordings already exist or there is a specific business reason to make such recordings, update/implement a retention policy specifically addressing how and when such recordings will be maintained, preserved and destroyed and add specific language to your litigation hold notices concerning such recordings to make sure that they are retained if a preservation obligation arises.
6. For sensitive communications that would typically take place during in-person meetings, consider using a traditional form of communication like a telephone call as opposed to a videoconferencing platform.
7. If you have something sensitive to discuss on a videoconference, include your attorney on the videoconference. Although the mere presence of an attorney does not guarantee that the videoconference will be deemed privileged in a future litigation, it will certainly help make the recording non-discoverable.
8. Implement a procedure for obtaining consent from participants prior to recording a videoconference.

We have created checklist of general tips to help companies navigate return-to-work privacy and data security issues. In addition to designing COVID-19 testing and screening data collection programs that fit local and state reopening conditions, companies may also wish to consult key sources of federal guidance, including the following:

• EEOC’s Coronavirus and COVID-19 page, which links to guidance on complying with disability protection and non-discrimination obligations.
• OSHA’s COVID-19 site, which contains a broad array of enforcement guidance, general and industry-specific reopening guidelines, and other resources.
• The CDC’s reopening guidance for businesses and workplaces.

• Kelley Drye's COVID-19 Response Resource Center
• Advertising and Privacy Law Resource Center
• Kelley Drye’s Advertising Law Practice Page
• Ad Law Access Blog
• Ad Law Access Podcast
• Ad Law News and Views Newsletter
• Upcoming webinars:
  • Product and Earnings Claims in the Time of COVID-19
  • Trade Association Antitrust 101
  • Additional webinars will be announced soon

Earlier this week, federal regulators continued their efforts to combat the spread of products featuring allegedly false and misleading claims that products can diagnose, treat, cure, or prevent COVID-19. In warning letters issued to CBD Gaze, Alternavita, Musthavemom.com, and Careful Cents LLC, the agencies identify the respective recipients as participants in the Amazon Affiliate program. Amazon Affiliates are marketers who earn commissions by promoting products sold on Amazon. The letters state that the products at issue, which include essential oils, grapefruit seed extracts, cod liver oil, and others, feature false treatment and prevention claims such as the following:

• CBD Gaze: “Find the best CBD Oil to help fight Coronavirus.”
• Alternavita: “4 Proven Ways To Protect Yourself Against Coronavirus,” you represent that “Everyone is concerned about Coronavirus and looking for ways to protect themselves,” and then state the following:

“Grapefruit Seed Extract If you want a little extra daily protection GSE is a safe antibiotic . . . [Amazon associate link].”

• Musthavemom.com: “NATURAL REMEDIES FOR CORONAVIRUS. . .There are plenty of things you can do to boost your immune system and fight off any virus including coronavirus. Here are a few!” … “2. Vitamin D . . . This important vitamin plays a crucial role in immune health. Being deficient in Vitamin D can increase your risk of infection. I recommend this brand of Vitamin D [Amazon associates link] and starting at a minimum dose of 5,000 IU.” [from your website https://musthavemom.com/coronavirus-prevention-treatment-plan/]
• Careful Cents LLC: “How to Boost Your Immune System Naturally With Essential Oils to Fight Coronavirus” you state: “Can you use essential oils to boost your immune system and fight coronavirus? Yes! Essential oils are one of the best tools to strengthen your immune system naturally . . .”

The letters state that the products are unapproved new drugs and misbranded pursuant to the Food Drug and Cosmetic Act. Causing the introduction or delivery for introduction of these products into interstate commerce is prohibited under sections 301(a) and (d) of the FD&C Act, 21 U.S.C. § 331(a) and (d). The letters also state that “it is unlawful under the FTC Act, 15 U.S.C. 41 et seq., to advertise that a product can prevent, treat, or cure human disease unless you possess competent and reliable scientific evidence, including, when appropriate, well-controlled human clinical studies, substantiating that the claims are true at the time they are made. For COVID-19, no such study is currently known to exist for the product identified above. Thus, any coronavirus-related prevention or treatment claims regarding such product are not supported by competent and reliable scientific evidence.”

What’s the lesson? The difference between these letters and the warning letters that FDA and the FTC issued earlier this year is that these are targeted not to the company making the product or even the retail platform on which they are sold. They were sent to the middleman marketer, who likely does not produce or possess the product, but who is promoting and profiting from its sale. This is consistent with the FTC’s letters to product influencers in other marketing contexts but is a departure from FDA’s typical enforcement approach. Although we have seen FDA pursue retailers (particularly online ones), FDA has not made pursuit of marketing affiliates a priority. Clearly, regulators want affiliate marketers (Amazon or otherwise) to understand that they are not immune from enforcement if they are making aggressive or unsubstantiated health claims.

The FTC recently sent warning letters to companies for falsely claiming that their products can treat or prevent COVID-19. The latest episode of the Ad Law Access Podcast discusses the importance of keeping the current pandemic context in mind when making health claims more generally.

Listen on Apple, Google Podcasts, SoundCloud, Spotify, or wherever you get your podcasts.

For more information on these and other topics, visit:

• COVID-19 Response Resource Center
• Advertising and Privacy Law Resource Center
• Ad Law Access Blog
• Food and Drug Law Access
• Advertising and Privacy Law Resource Center
• Ad Law News and Views Newsletter

The Warning Letters

The agencies identified the three VoIP gateway providers as the sources of the illegal calls through the efforts of the USTelecom Industry Traceback Group, a consortium of phone companies that help officials identify potentially unlawful calls. The phone companies used a process known as “traceback,” in which they share information to trace unlawful spoofed robocalls to their origination.

In the letters, the agencies reminded the companies that the COVID-19 scam robocalls are in fact illegal and directed them to cease transmitting the traffic immediately, as the calls have “the potential to inflict severe harm on consumers.” The letters warned the companies that if they did not stop transmitting the identified traffic within 48 hours, the FCC would authorize other U.S. voice providers to block all calls from the companies and take any other steps necessary to prevent transmission of the calls. The agencies also sent a separate letter to USTelecom advising the trade association that, if the VoIP providers do not block the traffic, the FCC will authorize other U.S. service providers to block all calls coming from that gateway and will take other actions as necessary to authorize U.S. service providers to block traffic from the originating entities. In addition, the FCC encouraged other service providers to take immediate action to block unlawful calls pursuant to existing legal authority.

This action is a significant – and significantly aggressive – new approach by the agencies. While both agencies have taken actions to prevent and deter unlawful robocalls, the threat to block traffic from the originating carrier is a new tactic in the fight against unlawful calls. Notably, it is not clear under what authority the FCC can or would order the blocking of all traffic from the subject VoIP gateway providers if they failed to block the allegedly unlawful robocalls. The letter does not cite any provision of the Communications Act that would authorize such blocking. Moreover, existing FCC orders relating to call blocking have authorized only limited call blocking practices that were optional for the carriers. Were the FCC to order such blocking (and to make it mandatory), it appears that such action would be the first of its kind by the agency.

Briefly, we will review the agencies’ recent history with anti-robocall activities.

The Educare Services Enforcement Action and Prior FTC Warning Letters

In the three letters to the VoIP gateway providers, the FCC and FTC reference the FTC’s recent enforcement action against VoIP provider Globex Telecom. This action relied upon provisions of the FTC’s Telemarketing Sales Rule (“TSR”), which addresses calls made for a telemarketing purpose. In December 2019, the FTC obtained a preliminary injunction against Educare Services and Globex Telecom Inc. for robocalling consumers to promote allegedly fraudulent credit card interest rate reduction services. The FTC complaint alleges that Globex played a key role in “assisting and facilitating” the illegal credit card interest rate reduction services Educare promoted by providing Educare with the means to call consumers via interconnected VoIP communication services and facilities. For a VoIP company to be liable under a TSR “assisting and facilitating” theory, the FTC must prove that the company “knew or consciously avoided knowing” the robocall campaigns violated the TSR.

A week before the joint letters, the FTC sent letters to nine VoIP service providers and other companies warning them that “assisting and facilitating” in the transmission of illegal COVID-19-related telemarketing or robocalls is unlawful. The agency also sent letters to nineteen VoIP service providers in January with a similar warning about all illegal robocalls.

FCC TRACED Act Implementation and the STIR/SHAKEN Mandate

Like the FTC, the FCC recently shifted its focus in robocall enforcement towards the originating carriers. On February 4, 2020, the FCC’s Enforcement Bureau sent letters to seven VoIP gateway service providers, notifying them that unlawful robocalls had been traced to their networks and asking for their assistance in tracking down the originators of the calls. Although no enforcement action was threatened at the time, the FCC also asked each provider to detail their anti-robocall efforts to the Commission.

More recently, the FCC took several steps in implementing the TRACED Act, which requires the FCC to initiate several near-term rulemakings and other actions aimed at addressing unlawful spoofing and robocalling operations. On March 27, the agency adopted a Report and Order and Further Notice of Proposed Rulemaking establishing rules for the registration of a single consortium to conduct private-led “traceback” efforts, which is expected to formalize the relationship with the USTelecom Industry Traceback Group. Additionally, on March 31, the FCC adopted a separate Report and Order and Further Notice of Proposed Rulemaking mandating that originating and terminating voice service providers implement the STIR/SHAKEN framework in the IP portions of their networks by June 30, 2021. STIR/SHAKEN—the technology framework behind the “traceback” process—allows providers to verify that the caller ID information transmitted with a particular call matches the caller’s number as the calls are passed from carrier to carrier. FCC Chairman Pai previously urged major providers to adopt STIR/SHAKEN technology voluntarily and warned that the voluntary approach would become a mandate if the providers did not move fast enough. Still to come are comments on a “know your customer” obligation for service providers and rules to deny access to numbering resources to originators of unlawful calls.

As we have previously noted, the TRACED Act also requires the implementation of an alternative call authentication framework in non-IP networks, extends the FCC’s statute of limitations for bringing some illegal robocall enforcement actions, and eliminates the requirement to give warnings before issuing certain filings.

Takeaways

These letters, coupled with the recent activity by the FTC and FCC to combat illegal robocalls, signal the agencies’ desire to cause a meaningful reduction in unlawful calling, and in particular, demonstrate a desire to prevent scammers from taking advantage of the COVID-19 crisis to carry out their deceptions. Both agencies can seek civil penalties and take other actions necessary to prevent the proliferation of these calls.

Importantly, the targets of agency action are not necessarily limited to the entities that place the unlawful calls. These federal actions are a good reminder for VoIP and other service providers to assess whether their customers’ practices may indicate unlawful use of VoIP or other services. With the warning letters, and now these blocking letters, the FCC and FTC increasingly are showing an openness to pursuing penalties under vicarious liability theories. If there are facts that support knowledge of the unlawful activity or “red flag” type practices (such as a customer being the target of multiple third party government subpoenas, among other facts), that’s a good indication that further steps by the VoIP provider may be warranted to mitigate the risk of facing an enforcement action by the FTC or FCC. If you have questions about how these enforcement trends and related risk factors are relevant to your business, please contact your Kelley Drye counsel.

States of Emergency: Two states, New York and Louisiana, prohibit certain telemarketing calls during declared states of emergency.

• New York: The prohibition applies to any unsolicited telemarketing sales call to any person under a declared state of emergency. Calls made (1) in response to an express written or verbal request, or (2) in connection with an existing business relationship, are not “unsolicited” and are therefore permissible. Importantly, it is ambiguous as to whether this prohibition also covers business-to-business telemarketing calls. The provision applies to unsolicited telemarketing sales calls made to any person during a declared state of emergency. The statute defines “person” to include businesses, but the other telemarketing provisions in the statute are limited to business-to-consumer calls.
• Louisiana: The prohibition applies to all telemarketing calls to consumers, except those made (1) within six months of an express request, or (2) pursuant to an existing business relationship or a prior business relationship that has lapsed within six months.

These are difficult times, but we are happy to help, so please do not hesitate to reach out to us or to check out the Kelley Drye COVID-19 Resource Center.